From: Mahesh Bandewar (महेश बंडेवार)
Date: Fri, 10 Nov 2017 14:05:51 +0900
Subject: Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist
To: "Serge E. Hallyn"
Cc: Mahesh Bandewar, LKML, Netdev, Kernel-hardening, Linux API, Kees Cook, "Eric W . Biederman", Eric Dumazet, David Miller
In-Reply-To: <20171110043010.GA3572@mail.hallyn.com>
References: <20171103004433.39954-1-mahesh@bandewar.net> <20171109172201.GA26229@mail.hallyn.com> <20171110043010.GA3572@mail.hallyn.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, Nov 10, 2017 at 1:30 PM, Serge E. Hallyn wrote:
> Quoting Mahesh Bandewar (महेश बंडेवार) (maheshb@google.com):
> ...
>> >> ==============================================================
>> >> +controlled_userns_caps_whitelist
>> >> +
>> >> +Capability mask that is whitelisted for "controlled" user namespaces.
>> >> +Any capability that is missing from this mask will not be allowed to
>> >> +any process that is attached to a controlled-userns. e.g. if CAP_NET_RAW
>> >> +is not part of this mask, then processes running inside any controlled
>> >> +userns's will not be allowed to perform action that needs CAP_NET_RAW
>> >> +capability. However, processes that are attached to a parent user-ns
>> >> +hierarchy that is *not* controlled and has CAP_NET_RAW can continue
>> >> +performing those actions. User-namespaces are marked "controlled" at
>> >> +the time of their creation based on the capabilities of the creator.
>> >> +A process that does not have CAP_SYS_ADMIN will create user-namespaces
>> >> +that are controlled.
>> >
>> > Hm. I think that's fine (the way 'controlled' user namespaces are
>> > defined), but that is a design decision in itself, and should perhaps be
>> > discussed.
>> >
>> > Did you consider other ways? What about using CAP_SETPCAP?
>> >
>> I did try other ways, e.g. using another bounding-set etc., but
>> eventually settled with this approach because of two main properties -
>
> No, I meant did you try other ways of defining a controlled user
> namespace, other than one which is created by a task lacking
> CAP_SYS_ADMIN?
>
SYS_ADMIN is the capability that has been used for deciding who can or
cannot create namespaces, so I didn't want to create another model that
may not be compatible with the current model, which is well understood;
hence no.

> ...
>
>> >> +The value is expressed as two comma separated hex words (u32). This
>> >
>> > Why comma separated? whitespace ok? Leading 0x ok? What is the
>> > default at boot? (Obviously the patch tells me, I'm asking for it
>> > to be spelled out in the doc)
>> >
>> I tried multiple ways, including representing capabilities in
>> string/name form for better readability, but didn't want to add
>> additional complexities of dealing with strings and possible
>> string-related issues for this. Also didn't want to reinvent a new
>> form, so settled with something that is widely used (cpu
>> bounding/affinity/irq mapping etc.) and is capable of handling a growing
>> bit set (currently 37 but possibly more later).
>
> Ok, thanks.
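Review bot: the quoted documentation hunk (+controlled_userns_caps_whitelist through "+that are controlled.") leaves two things a reader of the sysctl doc needs unstated. First, "+A process that does not have CAP_SYS_ADMIN will create user-namespaces +that are controlled" does not say in which user namespace CAP_SYS_ADMIN is evaluated (the creator's current namespace or the initial one); spell it out, since that decides whether a namespace created from inside an existing unprivileged userns is controlled. Second, "+The value is expressed as two comma separated hex words (u32). This" should be followed by the word order (which word carries capabilities 32 and above), whether a leading 0x or surrounding whitespace is accepted, and the value at boot; the reply above explains why the bitmap format was chosen but not the default, so the doc still needs it.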
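The bitmap-style format discussed above, as an added example that is not part of the patch or of the kernel: a user-space parser and formatter for a capability whitelist written as two comma-separated 32-bit hex words, plus a check of whether a given capability survives the mask. Word order (high word first, carrying capabilities 32 and up), acceptance of an optional 0x prefix, and rejection of bits above CAP_LAST_CAP are assumptions of this example modelled on the kernel's cpumask text format; the capability numbers (CAP_NET_RAW = 13, CAP_SYS_ADMIN = 21, CAP_LAST_CAP = 37 as of v4.14) are the values from linux/capability.h.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers from linux/capability.h (stable ABI values). */
#define CAP_NET_RAW    13
#define CAP_SYS_ADMIN  21
#define CAP_LAST_CAP   37   /* CAP_AUDIT_READ in v4.14; grows over time */

/* Mask with every defined capability set: bits 0..CAP_LAST_CAP. */
uint64_t caps_all(void)
{
    return (UINT64_C(1) << (CAP_LAST_CAP + 1)) - 1;   /* CAP_LAST_CAP < 63 */
}

/* Parse one hex word of at most 8 digits with an optional 0x prefix.
 * Returns 0 and stores the value, or -1 on malformed input. */
static int parse_u32_hex(const char *s, size_t len, uint32_t *out)
{
    char buf[9];
    size_t i;

    if (len >= 2 && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
        s += 2;
        len -= 2;
    }
    if (len == 0 || len > 8)
        return -1;
    for (i = 0; i < len; i++) {
        if (!isxdigit((unsigned char)s[i]))
            return -1;
        buf[i] = s[i];
    }
    buf[len] = '\0';
    *out = (uint32_t)strtoul(buf, NULL, 16);
    return 0;
}

/* Parse "HI,LO" into a 64-bit capability mask (bit n == capability n).
 * Assumptions of this example: the first word is the most significant
 * one, exactly two words are required, and any bit above CAP_LAST_CAP
 * is rejected rather than silently ignored. */
int caps_parse(const char *s, uint64_t *mask)
{
    const char *comma = strchr(s, ',');
    uint32_t hi, lo;
    uint64_t m;

    if (!comma || strchr(comma + 1, ','))
        return -1;                       /* need exactly two words */
    if (parse_u32_hex(s, (size_t)(comma - s), &hi) < 0)
        return -1;
    if (parse_u32_hex(comma + 1, strlen(comma + 1), &lo) < 0)
        return -1;
    m = ((uint64_t)hi << 32) | lo;
    if (m & ~caps_all())
        return -1;                       /* unknown capability bit */
    *mask = m;
    return 0;
}

/* Render the mask in the same "HI,LO" form a read of the sysctl would show. */
int caps_format(uint64_t mask, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%08x,%08x",
                     (uint32_t)(mask >> 32), (uint32_t)mask);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* 1 if capability `cap` is whitelisted for a controlled userns, else 0. */
int cap_allowed(uint64_t mask, int cap)
{
    if (cap < 0 || cap > CAP_LAST_CAP)
        return 0;
    return (int)((mask >> cap) & 1);
}

/* Drop one capability from a mask, e.g. "everything but CAP_NET_RAW". */
uint64_t caps_without(uint64_t mask, int cap)
{
    return mask & ~(UINT64_C(1) << cap);
}

/* Convenience check: parse `s`, then report whether `cap` is allowed.
 * Returns -1 when the string does not parse. */
int cap_allowed_in(const char *s, int cap)
{
    uint64_t m;

    if (caps_parse(s, &m) < 0)
        return -1;
    return cap_allowed(m, cap);
}

int main(void)
{
    char out[32];
    uint64_t m = caps_without(caps_all(), CAP_NET_RAW);

    caps_format(m, out, sizeof out);
    printf("whitelist without CAP_NET_RAW: %s\n", out);
    printf("CAP_NET_RAW allowed: %d, CAP_SYS_ADMIN allowed: %d\n",
           cap_allowed(m, CAP_NET_RAW), cap_allowed(m, CAP_SYS_ADMIN));
    return 0;
}
```

With CAP_LAST_CAP = 37 the full mask is 0000003f,ffffffff, and clearing CAP_NET_RAW (bit 13) gives 0000003f,ffffdfff; a new capability only adds a bit in the high word, which is the property the reply above cites for choosing this format over capability names.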